USA: Anti-money laundering and bank secrecy in relation to privacy
Financial institutions in the US face a myriad of laws and regulations when it comes to servicing their customers, especially when it comes to international business. At times, the issues of anti-money laundering ('AML') and Know Your Customer ('KYC') can clash with privacy obligations and protections. Daniel A. Cotter, Partner at Howard & Howard Attorneys PLLC, addresses some of the issues presented by the existing privacy legislation and outlines the relationship between them.
Privacy is not embedded in the Constitution of the United States ('the Constitution') and is not an unalienable right. The word 'privacy' is never used in the Constitution. The concept of a 'right to privacy' had been bandied about for some time early in the history of the US, but it started to be seriously discussed in 1890, when a young lawyer by the name of Louis Brandeis wrote a paper, The Right to Privacy1, with his partner, Samuel Warren, that was to have a profound effect on the body of jurisprudence going forward.
In 1960, in a California Law Review Article titled Privacy2, Dean William Lloyd Prosser, of the College of Law at University of California, Berkeley, wrote about privacy and set forth four torts involving privacy:
- intrusion upon seclusion or solitude, or into private affairs;
- public disclosure of embarrassing private facts;
- publicity which places a person in a false light in the public eye; and
- appropriation of name or likeness.
In effect, Prosser gave life to the skeleton of the right to privacy and fleshed the concept out.
The right to privacy has been found by the U.S. Supreme Court to exist implicitly in the Constitution through the First, Third, Fourth, and Fifth Amendments, via the emanations and penumbras to be found.
Bank Secrecy Act of 1970
While the Supreme Court was determining that a right to privacy implicitly existed in the Constitution, the U.S. Congress was considering privacy rights and their application to various liberties, and laws and requirements relating to banking and financial institutions. The US has long had in place various requirements that it imposed on financial institutions, including various regulations that banks had to follow and which were included in the Federal Deposit Insurance Act of 1950, enacted 21 September 19503.
Congress passed the Bank Secrecy Act of 19704 ('the Bank Secrecy Act'), which imposes various requirements, including record-keeping and reporting, for all financial institutions within the US, including foreign banks with branches and agencies in the US. The focus of the reporting is to prevent and detect money laundering, including requiring banks to report cash transactions in excess of $10,000 in one business day, as well as suspicious activities through suspicious activity reports, and foreign bank accounts that have at least $10,000 in them.
In 2001, after the attacks of 9/11, the Bank Secrecy Act was amended by the PATRIOT Act 20015 ('the PATRIOT Act'). Specifically, Title III of the PATRIOT Act6 mandated banks in the US to develop a Customer Identification Program ('CIP'), which was intended to limit the power of, and funding of, terrorist organisations, through the verification of the identity of any customer seeking to open an account, maintaining CIP records for a period of five years after the account is closed, and comparing the customer's name against the government's list of known or suspected terrorists7.
Gramm-Leach-Bliley Act of 1999
In 1999, Congress passed the Gramm-Leach-Bliley Act of 1999 ('GLBA')8, which requires banks to explain what information they collect and how they share and protect such information. The GLBA consists of two main provisions relating to privacy; the privacy rule under §313 of the Electronic Code of Federal Regulations ('the Privacy Rule') and the safeguards rule under §314 of the Electronic Code of Federal Regulations ('the Safeguards Rule').
Included among the provisions is §6825 of the GLBA, which provides for amendments and updates by the agencies responsible for enforcement, stating that they:
"shall prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information."
This language, and the GLBA requirements themselves, can be in conflict with the AML and KYC responsibilities that banks have. Whilst the GLBA does not include any private right of action, other newly enacted privacy laws, such as the California Consumer Privacy Act of 2018, may impact the analysis going forward.
Despite the efforts to control money laundering and the use of banks for nefarious purposes, the amount of money that is laundered in the US is estimated to be at least $300 billion per year9. In the US, the primary AML laws are the Bank Secrecy Act described above and its implementing regulations. The responsibility for administering and enforcing the Bank Secrecy Act has been given to the Financial Crimes Enforcement Network.
KYC laws are intended to permit a financial institution or other business the opportunity to verify the identities of its clients and assess those clients' suitability, while at the same time protecting against potentially illegal conduct by the customers. While the US is not alone in having KYC laws, it is by no means in the majority of countries that have such laws10. KYC is designed to protect banks from being used by criminals in money laundering endeavours, and KYC is done through the collection and analysis of personally identifiable information ('PII') that is then screened against the lists, such as those maintained by the Office of Foreign Assets Control to determine wrongdoers, and then creating customer profiles.
Balancing AML with privacy
The Banking Secrecy Act and KYC requirements impose on financial institutions, at times, conflicting signals. The AML and KYC laws are designed to protect the financial institution from fraud and criminal activity by ferreting out wrongdoers through the analysis of PII and due diligence in customers. At the same time, data protection and privacy laws, both in the US and in other countries, such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), are designed to protect the customer's identity and permit customer choices to protect the consumer from government and private abuses.
Unlike in the US, where as described above the right to privacy is not part and parcel of our governing documents, in the EU, privacy is a human right specifically engrained in its member states constitutions. The GDPR incorporates that understanding and provides the customer with a number of tools that protect their identity, such as the right to be left alone and forgotten. How banks can comply with these two titans battling for dominance is an open question.
One wrinkle that banks face is that, in some instances, their need to know, understand their customers, and obtain information about them and the transactions they conduct might clash fully and clearly with the rights of the customer to remain anonymous and secret, pursuant to privacy rights.
Banks would do well to examine this 'clash of the titans' closely and develop a robust, well thought out data privacy compliance programme that recognises the bank's obligations under the Banking Secrecy Act and KYC, while at the same time adhering to the rigid and multi-headed hydra that is the privacy regime, not only in the US, but on a worldwide basis. Failure to do so will result in the financial institution being on the wrong end of one, if not both, sides of the clash.
Daniel A. Cotter Partner
Howard & Howard Attorneys PLLC, Chicago
1. Samuel D. Warren, Louis D. Brandeis, The Right To Privacy, Harvard Law Review, Vol. 4, No. 5. (Dec. 15, 1890), pp. 193-220, available at: https://www.jstor.org/stable/1321160?seq=1#metadata_info_tab_contents
2. William L. Prosser, Privacy, 48 CALIF. L. REV. 383 (1960), available at: https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=3157&context=californialawreview
3. Federal Deposit Insurance Act of 1950, Pub. L. 81-797, available at: https://govtrackus.s3.amazonaws.com/legislink/pdf/stat/64/STATUTE-64-Pg873.pdf
4. Available at: https://www.govinfo.gov/content/pkg/STATUTE-84/pdf/STATUTE-84-Pg1114-2.pdf
5. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. 107-56, available at: https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf
6. International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001.
7. The list, published by the U.S. Department of Treasury Office of Foreign Asset Control, can be found at: https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx It is an extensive list, and tools are available for financial institutions to check it.
8. The Financial Modernization Act of 1999, Pub. L. 106-102, available at: https://www.govinfo.gov/content/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf
9. See ABA Banking Journal, "Treasury: U.S. Money-Laundering Totals $300B Annually," 15 June 2015, available online at: https://bankingjournal.aba.com/2015/06/treasury-u-s-money-laundering-totals-300b-annually/
10. According to research, there are only a dozen countries in addition to the United States that have KYC laws: Australia, Canada, India, Italy, South Korea, Namibia, New Zealand, South Africa, United Kingdom, Luxembourg, Singapore, and Japan.